2020 has been a landmark year for new developments in macOS threat actor tactics. These include shifts to shell scripts, the use of alternative programming languages like Rust and Go, and notably, bypassing Apple’s notarization security checks through steganography. Many of these new techniques exploit recent changes to the platform. Still, one newer technique takes the opposite tack and leverages legacy technology that’s been around since Mac OS 9 to hide its malware payload on macOS 10.15 and beyond. It’s referred to as a resource fork.
What’s a Resource Fork and Why Do Hackers Use It?
A resource fork is a named fork, a legacy file system technology used to store structured data like image thumbnails, window data and code. Instead of storing information in a series of bytes, a resource fork keeps data in a structured record, similar to a database. The resource fork does not have a size limit, and the fork is not visible directly in either the Finder or Terminal.
Unfortunately, many traditional file scanners will not pick up this technique, which has been used to distribute Bundlore. One trait that identifies these kinds of files is the extreme length of obfuscated or encrypted code, typically base64, which is abnormal for legitimate software.
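As an added example (not code from the original post), the heuristic above applied in a small Python checker: it reads a file's resource fork through the macOS `..namedfork/rsrc` path (the same data is exposed as the `com.apple.ResourceFork` extended attribute) and flags forks that contain an abnormally long base64 run. The samples at the bottom are constructed, not real Bundlore data, and the 4096-byte threshold is an assumed tuning value.

```python
import base64
import os
import re
import sys

# On macOS the resource fork of <path> is readable at <path>/..namedfork/rsrc.
# Plain `ls` and the Finder show only the data fork, which is why a large
# payload can sit there unnoticed.
RSRC_SUFFIX = "/..namedfork/rsrc"
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def read_resource_fork(path):
    """Raw bytes of the file's resource fork; b'' if it has none."""
    try:
        with open(path + RSRC_SUFFIX, "rb") as fork:
            return fork.read()
    except OSError:  # no fork, or a filesystem without named forks
        return b""


def longest_base64_run(data):
    """Length of the longest contiguous base64-alphabet run in data."""
    return max((len(m.group(0)) for m in _B64_RUN.finditer(data)), default=0)


def assess_fork(data, threshold=4096):
    """Heuristic from the text: an abnormally long base64 blob in a fork."""
    run = longest_base64_run(data)
    return {"fork_size": len(data), "longest_b64_run": run,
            "suspicious": run >= threshold}


def scan_file(path, threshold=4096):
    result = assess_fork(read_resource_fork(path), threshold)
    result["path"] = path
    return result


# Constructed samples: a small icon-like fork, and one carrying an 8 KiB
# base64 blob wrapped in a few binary header/trailer bytes.
BENIGN_FORK = b"\x00\x00\x01\x00\x00\x00\x02\x10ICN#\x00\x01" + bytes(range(32))
PAYLOAD_FORK = (b"\x00\x00\x01\x00\x00\x00\x20\x00"
                + base64.b64encode(bytes(range(256)) * 24)
                + b"\x00\x00\x00\x1c")

if __name__ == "__main__":
    for name, fork in (("benign", BENIGN_FORK), ("payload", PAYLOAD_FORK)):
        print(name, assess_fork(fork))
    for arg in sys.argv[1:]:  # e.g. python3 forkcheck.py /path/to/file.dmg
        print(scan_file(arg))
```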
By hiding encrypted and compressed files in the named resource fork, hackers hope to evade certain kinds of scanning engines. Bundlore can be found in the wild on sites that offer “free” versions of popular software, including the “mysoftwarefree” site. This site gives users a too-good-to-be-true free copy of Office 365. Users are told to remove any current installation of Office, download a free trial from Microsoft, and then download the “required files” from the malicious site to obtain a “full version of Office 365 ProPlus, without any limitations”. Once victims take the bait, a file named “dmg” is downloaded to the user’s device with a typical “Bundlore/Shlayer” dropper.
The technique of hiding malware in a file’s resource fork is the latest trick used by macOS malware authors to evade defensive tools. Although it is not particularly sophisticated and is easy to spot, it’s a creative way to bypass certain tools that do not use dynamic and static AI detection methods.